naturalmovement 6 hours ago

Maybe worry about Linux malware, which is a major problem right now that everyone is in huge denial about, instead of throwing shade at a hobby OS emulating a 25 year old version of Windows.

ReactOS isn't the one that just had one of its package repos owned (again).

nvr219 5 hours ago | parent | next [-]

What's the major Linux malware problem that everyone is ignoring

shakna 5 hours ago | parent [-]

AUR got hit recently [0], by what looks like more work of TeamPCP and friends.

EDIT: Worth noting, Arch ain't hosted on AUR. That's the community side only.

[0] https://archlinux.org/news/active-aur-malicious-packages-inc...

Grombobulous 4 hours ago | parent [-]

I would still note that this is not some kind of unique problem to Linux. There have been documented instances of malware making it to the Play Store, which is supposed to have a much more rigorous vetting process than AUR and costs actual money to publish on.

shakna 4 hours ago | parent [-]

Just to expand... When the above user is comparing to Windows, which got most of the US government breached, I do think shade against AUR is uncalled for. It's just a community host for packages, comes with warnings, and isn't enabled by default, etc.

I can still happily upgrade via pacman without fear. Haven't been able to update on Windows without concern for over a decade - the malware comes built in.

[0] https://www.cisa.gov/sites/default/files/2024-03/CSRB%20Revi...

nvme0n1p1 4 hours ago | parent | prev [-]

Isn't it funny how such incidents on Linux are rare enough that they make headlines, but on Windows that's been the baseline expected state of things for so long that nobody bats an eye anymore.

Btw if you're running an OS that's never had a malware incident, please, tell us!

jiggawatts a minute ago | parent | next [-]

Conversely, this kind of attack: https://en.wikipedia.org/wiki/XZ_Utils_backdoor

...is essentially impossible to pull off against commercial operating systems, because their core components are all written in-house by staff with photo ID badges, details on file with HR, tax returns on file with the government, and a cubicle that makes sure that they're locals and not some faceless anonymous hacker identifiable by nothing other than a throwaway faked email address!

I get that there was a lot of "stigma" about open source, the world largely forgot about it, but... actually, it's a very real risk.

"Jia Tan" was almost certainly a paid professional hacker working for a nation-state actor. Their "helpful contributions" to XZ utils were nowhere near a full-time effort. They certainly had "other irons on the fire", most probably in the Linux kernel or immediately adjacent to it.

He's probably not the only one doing this kind of "work".

For all you know, Linux has more remote exploits purposefully baked into it than Windows has security bugs inadvertently left in it... and don't forget Linux has bugs leading to security vulnerabilities too! Like this one: https://en.wikipedia.org/wiki/Copy_Fail

hurtigioll 3 hours ago | parent | prev [-]

Windows stopped having serious malware problems at least 10 years ago

The ransomware campaigns would have happened on any OS enterprises use, because they were not security flaws in the OS.